[Date Prev][Date Next][Thread Prev][Thread Next][Thread Index]

RE: [XaraXtreme-dev] Installation options


I didn't think such a move would go down well. I thought that the
package managers were only supposed to point to repositories of software
that had been built, tested and approved for that distribution by the
providers of the distribution. But if this would be accepted then this
is a good option.

Well it's certainly what WINE do. On Ubuntu at least there is a
pretty well documented user interface for it. I've never heard criticism
of it. But if you are in multiverse (or for that matter non-free on
debian) you won't need to (except for those who perhaps want more
frequent updates). And once CDraw is GPL'd you can be in something
more prominent than multi-verse or non-free.

IE isn't this only a problem whilst you are not in ANY debian or
Ubuntu distro? Shouldn't that be the way to get the stable version
(at least) out?

Note adding a repository does NOT overwrite the existing repositories.

But won't it get confusing once the main distribution repositories also
contain a Xara LX package? Perhaps it won't matter which one users
choose as long as we use the same package version numbering scheme and
same file locations, etc.

If the package is named the same, has the same versioning info and
the same contents, it won't matter. If you have different versions
and label them properly, the user will get the options (like a
stable or an unstable version). See, for instance, thunderbird-1.5
vs thunderbird 1.0, php4 vs php3, gcc4.xx vs gcc3.xx all of which
coexist reasonably happy in a single distribution. Clearly you
wouldn't want to present EVERY version as an alternative to the
user, but offering a "stable" line and a "bleeding edge" line
seems reasonable. But I presumed the "stable" line would get into
the distros themselves.

> On Fedora it's better because "yum localinstall" seems to do the
> job, though it refuses to install rpm files that aren't signed,
> first tweaking it's config.

Can't you self-sign them?

How do I do that? I thought I had to use gpg to generate keys and setup
a key server somehow.

You can self-sign with gpg. Just set up your own certificate and sign
using its private key. You can publish the certificate on the web.
Obviously the distributions won't recognize the signing key by default
and will say "I don't recognize the XARA key as it isn't in the Ubuntu
keyring" (or whatever the message says) but the user can continue anyway.
If they are really fussed, they can add the certificate.

Well that would work, but why wouldn't you make it (for instance) add
repository. Note either way you'll have to get their root password at
point in order to do apt-get (gksudo will do this in a pretty box).
people might be understandably hesitant about this.

Yes, the script would have to be run as root. Good point about users
being reluctant to do this, so this probably isn't a good option.

Well the script can just do
gksudo apt-get install [blah]

which will bring up the box. ANY installation has to be done as
root, so installing ANY .deb has the possibilities of installing
nasties. That's exactly why they are signed! (see above). Suspicious
people will have a look at the .deb first.

Ok, so it seems the best way forward is for us to just provide an rpm
and deb file on our web site for now. Along with (not as simple as we'd
like) instructions on how to install each one. Then once we're confident
about the packages we're building, we can look at providing them via a
repository as well.

I would guess so. It's also "what everyone else does". You might
also want to test out one of the "universal installers".

I don't think you should discount the debian/ubuntu repository
idea. It's really pretty simple, IIRC just creating a directory
on your web site and a couple of files, though Joachim will know
much better than me.